How can we help you today?

RFC 7208 TXT record DNS lookup limits

Modified on: Tue, 31 May, 2016 at 3:48 PM

https://tools.ietf.org/html/rfc7208#section-4.6.4

4.6.4. DNS Lookup Limits

Some mechanisms and modifiers (collectively, "terms") cause DNS queries at the time of evaluation, and some do not. The following terms cause DNS queries: the "include", "a", "mx", "ptr", and "exists" mechanisms, and the "redirect" modifier.

SPF implementations MUST limit the total number of those terms to 10 during SPF evaluation, to avoid unreasonable load on the DNS. If this limit is exceeded, the implementation MUST return "permerror".

The other terms -- the "all", "ip4", and "ip6" mechanisms, and the "exp" modifier -- do not cause DNS queries at the time of SPF evaluation (the "exp" modifier only causes a lookup at a later time), and their use is not subject to this limit.

When evaluating the "mx" mechanism, the number of "MX" resource
records queried is included in the overall limit of 10 mechanisms/ modifiers that cause DNS lookups as described above. In addition to that limit, the evaluation of each "MX" record MUST NOT result in querying more than 10 address records -- either "A" or "AAAA" resource records.

If this limit is exceeded, the "mx" mechanism MUST produce a "permerror" result.

When evaluating the "ptr" mechanism or the %{p} macro, the number of
"PTR" resource records queried is included in the overall limit of 10 mechanisms/modifiers that cause DNS lookups as described above.

In addition to that limit, the evaluation of each "PTR" record MUST NOT
result in querying more than 10 address records -- either "A" or "AAAA" resource records. If this limit is exceeded, all records other than the first 10 MUST be ignored.

The reason for the disparity is that the set of and contents of the
MX record are under control of the publishing ADMD, while the set of and contents of PTR records are under control of the owner of the IP address actually making the connection.

These limits are per mechanism or macro in the record, and are in
addition to the lookup limits specified above.